
2012.12.30

Information Security Governance is a pig to get right. The
size and age of the organisation do not matter. A startup faces challenges as
onerous as those of a large, mature business. It is tempting to expect that the
problems scale proportionately.

At the outset a decision has to be made about how data is
going to be received, what special processes will be performed on that data,
how the resulting information will be used to advantage and what to do with it
when it is no longer needed.

When information is produced, whether in the course of doing
business or as a product in its own right, there must be a process to decide what
labels will be attached to the item. This goes beyond
confidentiality classes and declares the information’s purpose in the
organisation. How is it created? Is it for Finance, HR, Facilities, Marketing?
Where can it be exported? How old can it get? Is it an asset?

The answers to those questions will determine how the
information is protected. There is a lot of technology to help secure data. The
basic tools, many of them free, will go a long way, but to do so they have to be
supported by custodial procedures carried out by staff.

Those habits are difficult to establish. When the
organisation is small, information security can be easily discounted as low priority.
When it grows without those foundational habits, it is very difficult to track
what data the organisation is running on, where it is and how best to secure it.

There are also standard approaches for getting to grips with
information exposure, such as asset and risk registers, and many other tactics to
report the state of the network and the data on it. Coordinating all these
efforts is the challenge. Departments set about ordering their security efforts
and run out of steam when the information is shown to be cross-departmental and
possibly carrying a different asset rating in different locations.

Taking the mile-high view helps. Look at what the
organisation takes in and what it puts out. Data and process flow diagrams will
show how data meanders in and out of the organisation and identify where the
information crosses boundaries, which is where it becomes vulnerable.

Governing all these disparate efforts may be even bigger
than a pig. Even if handled one leg at a time, it is best to know it is a pig you’re
dealing with.

2012.12.23

Imagine 10 Downing being signposted with “There are no
Firearms at these Premises.” That is a bold statement for anyone to advertise. If an elected official is a very important person, we can apply
that perception to ourselves also and do our best to protect our valuables.

I have no signs outside of my house. I consider my family
precious and would like to continue living in safety. A big consideration is the
risk of burglary while at home. Yet I feel safe enough. This is because I
consider that there are enough layers of defence to keep me out of harm’s way.

Enough protection relies on enough effectiveness at each
defence point. A Neighbourhood Watch is a remote defence point while locking my
bedroom door is very near to my dear. How many layers I care to put in place
and maintain will depend on how much of a risk I am facing and how much protection
I want to afford. My tactics will be physical, behavioural and attitudinal.

A firearm is a confidential piece of defence. The fastest personal
attack response might be use of the body, as in martial arts; after that, a
firearm comes close in speed. It also amplifies human power. To advertise
that my house contains no firearms, I would have to be certain that I can match
an attacker’s power with alternative measures.

In the digital world, owners and thieves constantly chase
advantages from emerging technologies. The Internet is allowing information to
be exchanged in real time. We create, process and publish information on many
different platforms. The purposes are endless. The information needs to be
promiscuous and intact at the same time.

Protecting data integrity is a good strategy. Wherever the
data goes, it carries a certainty that is relied on to maintain proper
behaviour. Hashing is an example: it produces a digest that is unique to a
volume of data and gives assurance that the information has not been tampered
with.

Encryption renders the data unreadable without authentication.
It is another guarantee that abuse of the data will be at least costly and at best useless.
These two technologies protect the data at a level where the effects of an
attack are immediate. They are widely available, easy to use and offer good
protection in a wide range of environments, and it is a good habit to protect
your assets as well as you can.
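The hashing point above is easy to get half right, so here is an added example (not code from the original post) that shows where the assurance actually comes from. It computes an unkeyed SHA-256 digest and a keyed HMAC over a constructed set of customer records, then corrupts one letter of a name, the kind of slip described elsewhere on this page. The digest catches the corruption, but an unkeyed digest travelling with the data can be recomputed by anyone who can edit the data, so it only gives assurance when it is recorded somewhere the data's custodian controls, or when a key is involved. The key and the records are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample: a small volume of customer data that is relayed between
# departments. Names and addresses are made up for this example.
CUSTOMER_RECORDS = (
    b"Sean Pollonais,12 Example Road,EX1 2MP\n"
    b"Alison Harris,34 Sample Street,SA3 4PL\n"
)


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(digest(data), expected)


def tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only a holder of the key can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def corrupt(data: bytes) -> bytes:
    """Simulate the one-letter corruption a clerical error or a tamperer might
    introduce (the "Sean" to "Jean" slip described elsewhere on this page)."""
    return data.replace(b"Sean", b"Jean", 1)


def integrity_scenarios(key: bytes) -> dict:
    """Run the cases a custodian should understand and report each outcome.

    Every value in the returned dict is True when the control behaves as a
    defender would want it to.
    """
    original = CUSTOMER_RECORDS
    altered = corrupt(original)
    stored_digest = digest(original)     # recorded when the data left its source
    stored_tag = tag(key, original)      # the same, but keyed
    return {
        # A digest recorded at the source catches accidental corruption in transit.
        "digest_catches_corruption": not verify_digest(altered, stored_digest),
        # An unkeyed digest gives no assurance if whoever alters the data can also
        # replace the digest that travels with it: the forged pair verifies fine.
        "unkeyed_digest_is_forgeable": verify_digest(altered, digest(altered)),
        # A keyed tag cannot be regenerated by someone who lacks the key...
        "keyed_tag_rejects_alteration": not verify_tag(key, altered, stored_tag),
        "keyed_tag_rejects_wrong_key": not verify_tag(key, altered, tag(b"guessed-key", altered)),
        # ...while untouched data still verifies under both controls.
        "untouched_data_verifies": verify_digest(original, stored_digest)
        and verify_tag(key, original, stored_tag),
    }


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    for case, ok in integrity_scenarios(demo_key).items():
        print(f"{case:32s} {'OK' if ok else 'FAIL'}")
```

The practical habit this suggests: keep the digest separate from the data (published by the source, or held by the receiver), or use a keyed tag whose key never travels with the data. Either way the digest is only as trustworthy as the place it is kept.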

2012.12.16

I am tall enough to have difficulty finding the right size clothes. With the success from this year’s weight training I now have to update my wardrobe and that led to a long search for a shop that will supply me with what I need.

I found such a place and have been there a couple of times, even got talked into signing up for their loyalty card. I have a knee jerk reaction to these cards because it seems I’m giving away too much information about myself for too little in return. I took it thinking that I will be back often enough for it to make financial sense.

Recently I got a ‘Welcome to our loyalty scheme’ letter sent to my address. I’ve paid for my purchases with my bank card and I wrote my details for the loyalty scheme in capitals to avoid any errors, yet I am still addressed as Ms Jean Pollonals. How did it ever get to this?

When a new way of using information is started in a company, data integrity must be designed into the process for relaying information from one point to another. We see in this case the shop had two accurate records of my information and yet the marketing department got a corrupted version.

It seems simple to accept the customer’s card payment, give notice that the information will be used for marketing and always refer to that single source. The consequences for this inaccurate information are endless. The Data Protection Act can be called into question here but my take on this is that it’s my responsibility to inform them of the mistake.

I would not like to put a store clerk on the spot having to decide if Mr Sean Pollonais should get the Loyalty Scheme benefits accrued by Ms Jean Pollonals. If that turns out to be a ‘No’, the shop will lose a customer for what was an avoidable reason.

2012.12.09

Computers have instilled habits into staff at every business
processing digital data. There are few systems that never require an initial
log-on. Web-based accounts use a username and password for access. A truly global
habit.

Application developers have been applying security functions
that force user behaviours that will safeguard information. When users’ input
is verified against a strong password policy, a habit is being forced on users.
The choice in the matter is removed and the system gets what it requires. The
promise is that this alignment of input and policy improves security across the
system.

Habits can be easily formed when there is a supportive culture
and an accepted argument for the necessity. When information awareness training
includes the value of the information processed on the system, the demand for its
protection is made clear.

Strong passwords, encrypting emails, locking machines on
leaving the desk and classifying documents are examples of good habits that are
difficult to embed in a group. Technology could be used further to enhance the
experience of the habit because in some cases, the user is being asked to do too
much to comply for no apparent gain.

Automating as much of the process as possible makes it easier for users
to contribute to the security effort. I hold a piece of information that
depreciates daily, each month ending with a final value of £15. For me it is
worth a lot even at its lowest. I created a habit that assures me of its ease
of use and safety.

My train card is kept in a ticket wallet. I use the ticket
at all barriers and return it to the wallet each time I pass through a
barrier. There are many times I question why I am replacing the ticket when I
have to use it again at the other end of the journey.

Putting the card back in the wallet is now automatic and I never have
to search my belongings for it. I am also assured that I will not drop it
anywhere far from a ticket point along my journeys. The practice is expensive
but no longer onerous.

I do this because I appreciate the value of the ticket. The
security habit that surrounds it is ‘good enough’ because it answers a common
need in my particular circumstance.

2012.12.01

My first job after O Levels was at the National Housing Authority.
My mother worked in the computer room taping punch cards. I was part of a new team
updating incorrect customer records in preparation for a planned project.

The training period went well, the learning materials were properly
prepared and the team was set to go at the end of it. We produced good results
for one week only. We were unable to source vital records to begin any new
files.

For the next month Alison Harris and I designed, and got
management support and budget to install, a new cross-NHA filing platform. All customer
files were placed into one folder per customer. When a department wanted a file,
they could go to that folder to select and compare information.

We worked with pens, paper and cardboard folders, all in a
cage vault which served as the new storage centre. The computers were only used
for the records department; the rest of the NHA was paper based. The new filing
system lasted a couple of years before it was computerised and staff work moved digital.
So the team’s objective was completed eventually.

The problem today is the same. Information becomes conventional
within a group, and it is a challenge to maintain a single mode in a large and
dispersed group. The team that manages email accounts uses short names only and
will need a translator whenever that form of ID is used as a pointer to the
same person’s records in Finance.

The data storage, processing and transmitting formats used
in either department are not always compatible. If the practice is to work on
localised information, a dialect forms, so to speak. Departments exchange less
information and the entire group develops costly processes.

The solution is the same. IT uses the advantages of scale and
makes it possible to maintain standards across large groups. The storage
capacity, multiple transfer methods, multiple devices and the ease of
publishing, all make the communication of knowledge and ideas easier. Centralising
the data reduces the need for translators.

2012.11.25

“Lil bit by lil bit, does make big bit!” How many times has
my mother repeated that to me? It was most often aimed at improving my habits
with money. I use it all the time now to approach life as it comes.

I started weight training early this year. It was my first
step back into a gym since I found myself with my face stuck to the sandy floor
of Saga’s gym, decades ago, unable to complete a pushup. The first question this
time was “Why do you want to weight train?” “I want to be strong.”

I have been manoeuvring towards weights for some time. The year
before, I spent each weekday morning doing self-resistance workouts and
strengthening my body and my habits. It’s been a good year on the weight machine
under supervision. I am getting strong. We take measurements every eight weeks
and the improvements are welcome!

I always leave home early enough to arrive at the machine in
a relaxed, focused state. Habits are essential to success. When a goal is
decided and a route is determined, planning should include the incremental habits
that help accomplish the objectives. Habits provide the support for the
surface processes.

At work I use technology to help maintain good security
habits around the information used by the business. I design ways to do the
right thing in an efficient manner which is supported by constant awareness
training.

We now work with automated systems to complete regular tasks
for preserving data accuracy. Awareness training creates appreciation of the
value of exact information and why it is important to guard the data’s
integrity.

I am still using my mother’s advice when I design these
solutions. There are no simple solutions that will work everywhere. Each goal
is unique and should be treated likewise. Within each project there are new
challenges that are better solved with equally new solutions. Remember to
include the essential and the incremental.

2012.11.17

Today my son is at a mask making workshop at the UK Centre
for Carnival Arts. Hopefully he will get an idea of the transformation mask
wearers report when they don a mask. He is planning to make a set for the
family, perhaps for the Christmas dinner, which will be nice.

I made costumes in Trinidad but never wore one. The nearest
I’ve gotten was in workshops with the great Peter Minshall. In those theatrical
workshops I got the chance to wear his masks and I must say I felt a freedom to
be an other from under the disguise.

On the first day of the Trinidad Carnival there is J’Ouvert,
which starts about 2am on the Monday. It’s dark, you get to cover yourself in
mud and party in the streets through the sunrise into the mid-morning. When I
did this, I would walk up to friends and not be recognised. That was a new feeling,
being a genuine stranger to those I knew.

The word ‘mask’ reminded me of my work where at times
information is masked to protect it from unauthorised access. The most
prevalent example is that of test data. When an application is built or
upgraded, it has to be checked before it is placed into the working
environment. The changeover from old to new must appear seamless to the user.

The best way to check an application is by running it with
the data that it will process for the business. This creates a problem of
confidentiality because the people testing the application will now have access
to real data. Imagine a developer having the same view of the company’s salaries
as the people working in the Finance department.

The Data Protection Act does not allow this. If a company
collects a customer’s information in order to process a transaction, it is
expected that the use of that information will be limited to the transaction
only.

This is where data masking comes in. There are different
software techniques that will take real information and prepare it so that it can
be processed legally. This is not the end of the problem though, as testers must
also put an application through the rigorous testing of unlikely scenarios
which will crash a program if certain conditions ever come together, such as
three John Smiths sharing the same post code.

Data masking is analogous to a Carnival headdress in that it
can either simply render the original unrecognisable or it can be used to
present an entirely new essence for novel effect.
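As an added example (not code from the original post), here is a small masking routine in Python that does both of the jobs the post describes: it renders real names and postcodes unrecognisable, and it can manufacture the unlikely scenario of several people with the same name at the same post code. Names are replaced with keyed pseudonyms so that the same real name always maps to the same fake one (duplicates and joins between tables survive masking), postcodes keep their outward code so location logic still runs, and salaries are reduced to a band. The records, name lists and secret are constructed for the demonstration; a real masking service would keep the secret out of the test environment.

```python
import hashlib
import hmac
import re

# Constructed production-like records; the people are fictional.
RECORDS = [
    {"id": 1, "name": "Alice Example", "postcode": "AB1 2CD", "salary": 41000},
    {"id": 2, "name": "Bob Sample", "postcode": "EF3 4GH", "salary": 52500},
    {"id": 3, "name": "Alice Example", "postcode": "AB1 2CD", "salary": 39000},
]

FIRST_NAMES = ["Ada", "Ben", "Cleo", "Dev", "Eve", "Finn", "Gus", "Hana"]
SURNAMES = ["Archer", "Baker", "Cooper", "Dyer", "Fletcher", "Glover", "Mason", "Weaver"]
# Outward code (area + district) and inward code (sector + unit) of a UK postcode.
POSTCODE = re.compile(r"^([A-Z]{1,2}\d[A-Z\d]?) ?(\d[A-Z]{2})$")


def _hmac_bytes(secret: bytes, value: str) -> bytes:
    """Keyed hash of a field value; the secret stays with the masking service."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()


def mask_name(secret: bytes, name: str) -> str:
    """Deterministic pseudonym: the same real name always gives the same fake
    name, so duplicates and joins survive masking, but the real name cannot be
    recovered without the secret."""
    h = _hmac_bytes(secret, name.casefold())
    return f"{FIRST_NAMES[h[0] % len(FIRST_NAMES)]} {SURNAMES[h[1] % len(SURNAMES)]}"


def mask_postcode(secret: bytes, postcode: str) -> str:
    """Keep the outward code so location-based logic still exercises the same
    branches, and replace the inward code deterministically."""
    m = POSTCODE.match(postcode.strip().upper())
    if m is None:
        raise ValueError(f"not a recognisable UK postcode: {postcode!r}")
    h = _hmac_bytes(secret, m.group(0))
    inward = f"{h[2] % 10}{chr(65 + h[3] % 26)}{chr(65 + h[4] % 26)}"
    return f"{m.group(1)} {inward}"


def mask_salary(salary: int) -> int:
    """Replace an exact figure with the midpoint of its 5,000 band: realistic
    magnitude for testing, no individual's pay disclosed."""
    band_start = (salary // 5000) * 5000
    return band_start + 2500


def mask_record(secret: bytes, rec: dict) -> dict:
    return {
        "id": rec["id"],  # an internal key carries no personal data and keeps referential integrity
        "name": mask_name(secret, rec["name"]),
        "postcode": mask_postcode(secret, rec["postcode"]),
        "salary": mask_salary(rec["salary"]),
    }


def mask_dataset(secret: bytes, records: list) -> list:
    return [mask_record(secret, r) for r in records]


def collision_records(secret: bytes, name: str, postcode: str, count: int = 3) -> list:
    """Build the unlikely-but-possible test case the post mentions: several
    people with the same name at the same postcode, returned already masked."""
    originals = [
        {"id": 1000 + i, "name": name, "postcode": postcode, "salary": 30000 + 1000 * i}
        for i in range(count)
    ]
    return mask_dataset(secret, originals)


if __name__ == "__main__":
    key = b"constructed-masking-secret"
    for row in mask_dataset(key, RECORDS) + collision_records(key, "John Smith", "AB1 2CD"):
        print(row)
```

Note that because the pseudonym is deterministic, the three constructed "John Smith" rows come out as three identical masked names at one masked postcode, which is exactly the collision the tests need to exercise. A postcode that does not parse raises rather than being passed through, since silently leaking an unmasked field is the failure a masking step exists to prevent.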

2012.11.11

WowWee was a gift for my son in 2008. I felt it best to let
him interact with machines from an early age. I was in for a surprise. WowWee
was more machine than interactive.

Today WowWee is a doorman. Buffed like most, stoic as well.
We’ve removed the batteries, so WowWee does not take in any data anymore and has
no ability to react. Perfect for the job! He stands there all day and keeps the
door open. When the door needs closing, he gets picked up, placed next to the sofa
and stays there until the door is open again.

WowWee is programmed to follow instructions from a remote
control unit which we lost long ago. He could walk like a human, see things in
colour including infrared and had a sense of touch. Altogether not impressive
when put into action. The sparkle wears off in a few days when it becomes
apparent that WowWee knows some things but understands nothing.

WowWee will do pretty much the same thing, to the same
remote command, every time. Data in, action out. That is the level of
understanding, the theory being that information is the understanding of
relationships in data and knowledge is the understanding of patterns in
information. WowWee is appreciated as an early step towards machine intelligence
that deciphers data.

Businesses benefit when they can derive knowledge from the information
they process. When information is mined to help make tactical decisions, more
value, in the form of knowledge, is extracted from the information and the patterns
within. If WowWee for example decides to move next to the sofa when I get to
the door at around 10:00pm, we can say there is understanding.

Businesses want to detect the patterns contained in their
information. If they can be confident that the information is accurate, the answers
to queries can be trusted. Imagine a company running a promotion to all the
Johns on John St in the parish of St John, already aware of how many there are
and what they will most likely be interested in. Micro campaigns.

To effectively do this, the initial data has to be accurate
and when information is moved around the company it has to maintain integrity.
It is a perpetual challenge to spread information to where it is needed, in the
correct state.

The solutions to accomplish this are not limited to
expensive software systems. To maintain information integrity, a culture of
awareness and custody has to become part of the organisation. When information
is interrogated and its results are valued, the necessity for accuracy is
recognised.

2012.11.03

Autumn is surely here. Clocks have gone back, it’s dark on
leaving the office and the streets are covered in soggy leaves. A walk in the countryside
last Sunday was fun with the children shovelling through the heavy leafy carpets
with their feet making that once a year shug, shug sound.

I grew up in Trinidad, 10 degrees north of the Equator where
the pronounced seasons are Rainy and Dry, spread near evenly across the year.
The temperature range is small and so are the daylight differences. In the UK
there are more seasons and the effects of their differences are numerous.

Cycles of life can be observed everywhere. With an average
life span of 70 years, humans are perhaps tuned into those cycles that are
crucial to having a good life, but of course there are many others that are at
the extremes of either side of that range. Mosquitoes might live just a couple of
days, the leaves on the trees are annual, while our Sun has an expected 14
billion year lifespan. It’s only halfway through that, so no need for a 70-year lifer
to worry.

Inanimate objects have a lifespan also. The ‘life’ might be
debatable but the span is definitely limited. Everything we see around us was
once something else and will be something different in the future. Things we
create will span a fixed amount of time and then no longer be.

Data is like this. We create information to fulfil a
purpose. When it is no longer useful it comes to the end of its lifecycle. The
usefulness though is not limited to its intended purpose because information
can be re-purposed. The biggest concern is that the new purpose will be
criminal.

When a process is designed, the lifecycle of the information
used must be included and preparations must be made for security at all stages.
When that data is no longer needed it must be discarded after an agreed time
and in a manner that gives assurance to all that there is no possibility that
it can end up in the wrong hands and re-purposed to the disadvantage of the
original data owners.
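The labels asked for at the top of this page (purpose, owner, where it may be exported, how old it may get, whether it is an asset) and the lifecycle rule just stated are two halves of one record, so here is one added example (not code from the original post) serving both passages. It attaches those labels to each item of information, looks up an agreed retention period by purpose, reports what is active, approaching disposal or overdue, and refuses to guess about anything that carries no recognised purpose label. The retention periods, the inventory and the "as of" date are constructed placeholders; real periods come from the organisation's policy and legal advice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule: purpose label -> days the data may be kept
# after its last legitimate use. Placeholder figures, not a real policy.
RETENTION_DAYS = {
    "finance": 6 * 365,
    "hr": 2 * 365,
    "marketing": 365,
    "test-data": 30,
}

# Constructed "as of" date for the demonstration.
TODAY = date(2012, 12, 1)


@dataclass
class InformationItem:
    """The labels that should travel with each item of information."""
    name: str
    purpose: str               # which process created it and what it is for
    owner: str                 # who answers for it
    created: date
    last_used: date
    is_asset: bool = True
    export_allowed_to: frozenset = field(default_factory=frozenset)


class UnlabelledInformation(Exception):
    """Raised when an item carries a purpose the schedule does not know; that
    gap is itself the governance finding, not something to guess around."""


def disposal_due(item: InformationItem) -> date:
    """Agreed time after last use at which the item must be discarded."""
    try:
        days = RETENTION_DAYS[item.purpose]
    except KeyError:
        raise UnlabelledInformation(item.name) from None
    return item.last_used + timedelta(days=days)


def lifecycle_status(item: InformationItem, today: date, warning_days: int = 30) -> str:
    """'active', 'disposal-approaching' (within warning_days of due) or 'overdue'."""
    due = disposal_due(item)
    if today > due:
        return "overdue"
    if today >= due - timedelta(days=warning_days):
        return "disposal-approaching"
    return "active"


def export_permitted(item: InformationItem, destination: str) -> bool:
    """Information leaves the organisation only where its label says it may."""
    return destination in item.export_allowed_to


def disposal_report(items: list, today: date) -> dict:
    """Group items by status so the custodian sees what needs action, and list
    separately anything that has no usable label."""
    report = {"active": [], "disposal-approaching": [], "overdue": [], "unlabelled": []}
    for item in items:
        try:
            report[lifecycle_status(item, today)].append(item.name)
        except UnlabelledInformation:
            report["unlabelled"].append(item.name)
    return report


# Constructed inventory for the demonstration.
INVENTORY = [
    InformationItem("2011 ledger", "finance", "finance-lead", date(2011, 4, 6), date(2012, 4, 5),
                    export_allowed_to=frozenset({"external-auditor"})),
    InformationItem("autumn campaign list", "marketing", "marketing-lead",
                    date(2011, 9, 1), date(2011, 10, 31)),
    InformationItem("masked HR extract", "test-data", "dev-lead",
                    date(2012, 11, 1), date(2012, 11, 10)),
    InformationItem("old scanner folder", "unknown", "nobody", date(2009, 1, 1), date(2009, 1, 1)),
]

if __name__ == "__main__":
    for status, names in disposal_report(INVENTORY, TODAY).items():
        print(f"{status:22s} {names}")
```

The "unlabelled" bucket is the one to watch: information nobody can assign a purpose to is the data the post says an organisation loses track of, and it can neither be protected to the right standard nor safely discarded until someone claims it.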

2012.10.27

My wife put together a photo album for my birthday this
week. It was a very good idea because we possess a large number of photos, all
digital, and they are all saved on the computer. We got an external hard drive
where some photos go but to be honest, we never had a process for saving all our
data to one location.

I used to save images to CDs and have lost some of those already
because for some reason my new computer does not read those CDs. I should have
checked before getting rid of the old PC. Had I printed them, those images would
have been with me today. So I’m very thankful for the huge effort my wife made
of choosing images, taking them to a print shop and placing them in an album.

This is a common challenge faced when information
technology is changing rapidly. Storage capacity is now in the terabytes and we
are all producing information in formats that require more and more storage
volume. If we intend to retrieve this information in the future, how do we
ensure that it is readable then?

After carved stone, the most durable medium to date is print.
Paper has proven to be very good at carrying forward information. It is not practical
to transfer all present day data to paper as a matter of record but it is
important to set criteria as to what is critical for future reference.

Cloud providers can be a viable option for data storage as
they offer ubiquitous access, expanding volume and the capability to update
storage formats to that of the day. This goes hand in hand with the fact that
data in the Cloud is controlled and secured by the provider and not the data
owner so caveat emptor!

Another strategy would be to own a large storage device and
put in place a regimen of uploading important documents there. If the
technology for retrieving documents changes, it would be easier to transform and
then transfer those files to the latest medium.